Monday, March 7, 2016

A Big Implicit Requirement

I’ve written
about implicit requirements in CIP versions 5 and 6 previously; these are tasks
the entity needs to do to comply with the v5/v6 requirements, that aren’t
actually themselves specified as requirements. An example of implicit
requirements is identification of EACMS, PACS, ESPs, and Protected Cyber
Assets. Even though many requirements are written on the assumption that the
entity has identified these, the entity is never required actually to identify
them.[i] The
requirement is implicit, but obviously must be followed nevertheless.

Over the
last six months or so, I have been putting together a list of implicit
requirements in CIP v5. A few of them currently say something like this: “Compliance with this requirement must be
done on the level of each component of a BCS, not just on the BCS level.” What
this means is that, even though the requirement in question (like most CIP
v5/v6 requirements) is applicable to BES Cyber Systems, it is really the
components of each BCS (all Cyber Assets, of course) that are in scope. I had
assumed this was only the case for a few requirements, including patching and
anti-malware. Obviously, both of these requirements are only effective if they
apply on the BCS component level.

However, I had the good fortune to be asked
to address MISO’s CIP User Group recently, and in a different part of the
meeting there was a discussion of the issue of BCS vs. components. It was
pointed out that there are actually many more requirements where the components,
not the BCS themselves, are in scope than I had thought. I went back to the standards and found the
following requirements to be component-level ones:

All the requirements of CIP-007;

All the requirements of CIP-009;

All the requirements of CIP-010; and

CIP-011 R2

And if you think about this, the above are
almost all of the requirements that apply to cyber assets or systems. Most of
the other requirements apply at the organizational level (security policies,
physical protection, CSIRP, etc), even though they may state they apply to BCS.
Just about the only requirements that actually do apply to BCS – as far as I
can see – are CIP-004 R4 and R5, both of which have to do with access control. This
actually makes sense, since most systems require just one authentication that
applies to all components; you don’t have to authenticate for each component. These requirements definitely should apply on
the BCS level.

This is all quite interesting to me, because I
remember the history: The first draft of CIP v5, which was released (and
soundly voted down) in late 2011, used the BCA and BCS terms rather
promiscuously. This led to complaints, and the idea that there should just be
one term, not two. The next version standardized on the BCS term. I remember
the example brought up to justify this step was that authentication was almost
always done on the system level, so BCS was obviously the appropriate concept
to standardize on. I thought that was reasonable until the MISO meeting, when I
realized that BCS-level compliance is really the exception, not the rule.

However, if the SDT had standardized on BCA,
that would have been inadequate, too. The reason why is described in my
previous post,
where I point out that in some cases (depending on how they’ve identified their
BCS), the entity won’t have identified BCAs – just BCS. This is because
entities are neither explicitly nor implicitly required to identify BCAs in CIP
v5. If the SDT had chosen to standardize on BCA instead of BCS as the standard
for applicability, this would have in some cases forced the entity to do a lot
of extra work to identify BCAs, for no gain in either compliance or security.

I’m sure
this wasn’t the SDT’s reasoning, though. It must have been something like “If
we standardize on BCAs, then we will force entities to always comply on the
cyber asset level, not the system level. But if we standardize on BCS, they can
exercise either option.” In retrospect, there are two problems with this
reasoning. First, it assumes that all
BCS components are BCAs, which isn’t true, as discussed in the previous post.
So if the BCS components were to be the standard for applicability, the applicability
wording in all of the requirements listed above would have to be something like
“Cyber Assets that are components of BES Cyber Systems”, not “BES Cyber Assets”.

Second, by having all requirements apply to
BCS, the SDT ensured that the literal meaning of the words of CIP v5 was that only BCS were in scope. This means that
the only way literally to comply with v5 is to have a one-to-one correspondence
between BCA and BCS; that is, every BCA is its own BCS, period. Of course, this
effectively eliminates the advantage of having BCS in the first place[ii].
But – given that it’s clear that requirements like patch management need to be
applicable on the BCS component level – how can you assure these requirements
will be properly complied with other than by doing this?

However, in practice this isn’t a huge problem.
Even though the standards now say that only BCS are in scope, I’m sure the
regions have all made it clear at some point that they will audit on the
component level where appropriate, which means for the requirements listed
above. And an Interested Party pointed out to me that the evidence workbook
published by NERC last fall specifically states that, in the component-level
requirements, evidence is required for all “Cyber Assets that are members of (a
Medium or High BCS)”.

So does this discrepancy between the v5
wording and how entities will be complying with it pose a problem? The
situation is the same as the one I discussed in this post,
where I distinguished between enforceability in the strict and not-so-strict
senses. In the not-so-strict sense, CIP v5 will be perfectly enforceable even
with this problem, since there is agreement between both auditors and entities
that this is the correct way to comply.

This results in the same situation as what I
described in this
post regarding how entities and auditors are interpreting CIP-002-5.1 R1: They
are both interpreting these requirements in the same way, which means the
requirements are enforceable in the not-so-strict sense. But in the strict
sense, in my opinion these requirements will never be enforceable until their
applicability sections are rewritten to reflect that they apply on the
component level. It would be nice if that were on the v7 SDT’s agenda,
but it isn’t now.

The views and opinions expressed here are my own and don’t
necessarily represent the views or opinions of Deloitte Advisory.

[i]
In fact, there isn’t actually a requirement to identify BES Cyber Systems,
either. Where the word “identify” is used in CIP-002-5.1 R1.1 and R1.2, the
word really means “classify”. This is because Attachment 1 (where you are sent
to “identify” your High and Medium BCS), is written on the assumption that the
BCS have already been identified, and just need to be classified. Of course,
the lack of a requirement to identify BCS means there is no required
methodology to identify BCS. Naturally, this has led to a lot of confusion.

[ii]
I know some entities are taking this approach. As discussed in the previous
post, it does greatly simplify the BCS identification process, since it
eliminates a lot of the confusion caused by inconsistency and ambiguity in
CIP-002-5.1 R1. On the other hand, it probably does significantly increase the
compliance paperwork burden.